CVE-2026-40042

CRITICAL EPSS 29.2%

Published Apr 13, 20262mo ago · Modified Jun 17, 20261w ago

9.3 CVSS 4.0

Critical

Published Apr 13, 2026 2mo ago

Last Modified Jun 17, 2026 1w ago

Description

Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities through wiki table syntax and inline tags in issue descriptions, comments, and wiki articles to trigger entity resolution via simplexml_load_string() without LIBXML_NONET restrictions.

CVSS Details

Base Score

9.3

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

29.2% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-403

References 2

vulncheck.com https://www.vulncheck.com/advisories/pachno-wiki-textparser-xml-external-entity-injection
zeroscience.mk https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5984.php

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.